Attorney's Docket No. 018773-030
In re Patent Application of
Noriko TAKEDA et al.
Group Art Unit: Unassigned
PRELIMINARY AMENDMENT

Assistant Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

Prior to examination of the above-captioned patent application, kindly enter the 
following amendment. 



IN THE SPECIFICATION: 

Kindly replace the paragraph beginning at page 2, line 1, with the following: 
--On transferring data via the Internet, IP security compliant system is used for
preventing an attack from the outside. Here, IP security means security securing system at
IP packet level, defined by the IETF (Internet Engineering Task Force) which is a
standardization organization for the Internet communication rules.--



IN THE CLAIMS: 

Kindly replace Claim 9 as follows.

9. The encryptor of claim 7, wherein the communication management table includes a
public key, and 

the encryptor further comprising: 
a secret key for secret communication exchanger for sharing a secret key for secret 
communication used for secret communication with the other encryptor through the 
Internet, with the other encryptor by using the public key included in the communication 
management table of the encryptor side. 

Kindly replace Claim 10 as follows. 

10. The encryptor of claim 7, wherein the communication management table includes a 
public key, and 

the encryptor further comprising: 
an certification key for secret communication exchanger for sharing an certification 
key for secret communication used for secret communication with the other encryptor 
through the Internet, with the other encryptor by using the public key included in the 
communication management table of the encryptor side.

REMARKS

By way of the foregoing amendments to the specification, errors have been corrected
to improve the form of the application. No new matter has been introduced.

Early and favorable consideration with respect to this application is respectfully 
requested. 

These changes have been made in accordance with 37 C.F.R. § 1.121 as amended 
on November 7, 2000. 

Should any questions arise in connection with this application, the undersigned 
respectfully requests that he be contacted at the number indicated below. 



Respectfully submitted,

Burns, Doane, Swecker & Mathis, L.L.P.

By:
Platon N. Mandros
Registration No. 22,124

P.O. Box 1404
Alexandria, Virginia 22313-1404
(703) 836-6620

Date: August 3, 2001

Attachment to Preliminary Amendment dated August 3, 2001
Marked-up Copy 

Page 2, Paragraph Beginning at Line 1 
On transferring data via the Internet, IP [securuty] security compliant system is used 
for preventing an attack from the outside. Here, IP [securuty] security means security 
securing system at IP packet level, defined by the IETF (Internet Engineering Task Force) 
which is a standardization organization for the Internet communication rules.

Attachment to Preliminary Amendment dated August 3, 2001
Marked-up Claims 

9. The encryptor of claim 7, wherein the communication management table includes a 
public key, and 

the encryptor further comprising: 
a secret key for secret [key] communication exchanger for sharing a secret key for 
secret communication used for secret communication with the other encryptor through the 
Internet, with the other encryptor by using the public key included in the communication 
management table of the encryptor side. 

Kindly replace Claim 10, and add new Claim 10, as follows. 

10. The encryptor of claim 7, wherein the communication management table includes a 
public key, and 

the encryptor further comprising: 
an certification key for secret [key] communication exchanger for sharing an 
certification key for secret communication used for secret communication with the other 
encryptor through the Internet, with the other encryptor by using the public key included in 
the communication management table of the encryptor side.

ENGLISH TRANSLATION FOR PCT/JP00/00474
SPECIFICATION 

Communication Management Table Transfer System, Manager, Encryptor, 
and Communication Management Table Transfer Method 



Technical Field 

The present invention relates to a communication management table 
transfer system including plural encryptors mutually connected through the 
Internet and a manager managing communication management table used 
by the plural encryptors for communication, and further relates to
improvement of the security and the performance of the communication. 

Background Art 



Recently, system employing Virtual Private Network (VPN) has
become popular. The VPN is a network in which a public network such as
the Internet is virtually utilized as a private network using security
technique such as encryption of data or authentication of a user. The
virtual private network system enables to connect plural organizations
through the public network as if they use exclusive communication lines like
their internal network.

Fig. 13 shows an example of the virtual private network system. A
reference numeral 1 shows the Internet, 11, 21, and 31 are encryptors, 12, 22,
and 32 are routers, 13, 23, and 33 are firewalls, 14, 24, and 34 are subnets
(internal networks), 15, 25, and 35 show communication terminals, and 36
shows a manager. These elements are connected as shown in the figure.

On transferring data via the Internet, IP securuty compliant system
is used for preventing an attack from the outside. Here, IP securuty means
security securing system at IP packet level, defined by the IETF (Internet
Engineering Task Force) which is a standardization organization for the
Internet communication rules.

In the IP securuty system, data transfer is performed after relation 
so-called SA (Security Association) is established between the encryptors of 
each internal network. By doing this, secret communication becomes 
possible. However, to establish SA requires to share a public key among the 
encryptors as a premise.

Further, in order to transfer data to the communication terminal of 
the internal network, it is necessary to know information of configuration of 
each internal network. 

Accordingly, a communication management table including the 
public key and the configuration information of the internal network is
generated, and the communication management tables are exchanged 
between the encryptors before establishing SA. The manager 36 is provided 
for generating, updating, and distributing the communication management 
table. 

Conventionally, upon request from the encryptor, the manager 36
distributes the communication management table to the encryptor
unconditionally.

Fig. 14 shows a transfer process of the communication management
table on turning electric power on according to the related art. When an
encryptor A11 is powered on, the encryptor A11 sends an encryptor
initialization notice (S101). When the manager 36 receives the encryptor
initialization notice (S101), the manager 36 sends a response to the
encryptor initialization notice (S102). On receiving the response to the
encryptor initialization notice (S102), the encryptor A11 issues a command to
obtain the communication management table (S103) unconditionally, and the
communication management table is thus transferred (S104).

Fig. 15 shows a transfer process of the communication management
table on rebooting according to the related art. The manager 36 sends a
reboot instruction (S201), and the encryptor A11 is rebooted after the
encryptor A11 sends a response to the reboot instruction (S202).
Hereinafter, the operation will be the same as one shown in Fig. 14.

In the above-described system, the number of transferring the
communication management table is large, which decreases the performance
of data transfer.

Further, there is another problem with respect to the security of the
communication, that is, the number of chances may be increased that the
communication management table is stolen by an improper user. Namely,
the public key or the configuration information of the internal network may
be stolen, and the secrecy of the data transfer between the encryptors cannot
be secured.

The present invention is provided to eliminate the above
conventional problems. The invention aims to reduce the number of
transferring the communication management table, improve the
performance of data transfer, reduce the chances of improper use of the
communication management table, and thus the security of the
communication can be increased.

Disclosure of the Invention 

According to the present invention, a communication management 
table transfer system includes:

plural encryptors connected to each other through Internet; and 

a manager which manages the communication management table 
used for communication among the plural encryptors, 

wherein each of the plural encryptors includes:

a communication management table memory of an encryptor side for
storing a communication management table of the encryptor side which is
the communication management table to be stored in the each of the plural
encryptors;

a communication management table version memory of the
encryptor side for storing a communication management table version of the
encryptor side which is a version of the communication management table of
the encryptor side; and

a communication management table version sender for sending the
communication management table version of the encryptor side to the
manager,

wherein the manager includes: 

a communication management table memory of a manager side for
storing a communication management table of the manager side which is the
communication management table to be stored in the manager;

a communication management table version memory of the manager
side for storing a communication management table version of the manager
side which is a version of the communication management table of the
manager side;

a communication management table version receiver for receiving
the communication management table version of the encryptor side from the
encryptor;

a communication management table version checker for checking
and finding mismatch of the communication management table version of
the encryptor side received and the communication management table
version of the manager side; and

a communication management table sender for sending the 
communication management table of the manager side when the mismatch 
is found by the communication management table version checker, 

wherein the encryptor further includes a communication
management table receiver for receiving the communication management
table of the manager side from the manager, and

wherein the communication management table memory of the
encryptor side stores the communication management table of the manager
side received by the communication management table receiver as the
communication management table of the encryptor side.

The communication management table transfer system of the 
invention, 

wherein the communication management table sender further sends
the communication management table version of the manager side when the
mismatch is found by the communication management table version checker,

wherein the communication management table receiver further
receives the communication management table version of the manager side
from the manager, and

wherein the communication management table version memory of
the encryptor side stores the communication management table version of
the manager side received by the communication management table receiver
as the communication management table version of the encryptor side.

According to the present invention, a manager managing a 
communication management table used for communication among plural 
encryptors connected to each other through Internet includes:

a communication management table memory of a manager side for
storing a communication management table of the manager side which is the
communication management table to be stored in the manager;

a communication management table version memory of the manager
side for storing a communication management table version of the manager
side which is a version of the communication management table of the
manager;

a communication management table version receiver for receiving a
communication management table version of an encryptor side which is a
version of the communication management table of the encryptor side to be
stored in the encryptor from each of the plural encryptors;

a communication management table version checker for checking
and finding mismatch of the communication management table version of
the encryptor side received and the communication management table
version of the manager side; and

a communication management table sender for sending the
communication management table of the manager side when the mismatch
is found by the communication management table version checker.

The manager of the invention, wherein the communication 
management table sender further sends the communication management
table version of the manager side when the mismatch is found by the 
communication management table version checker. 

The manager of the invention further includes a communication 
management table updater of the manager side for updating the 
communication management table of the manager side and the
communication management table version of the manager side
correspondingly.

The manager of the invention further includes a communication 
management table update information receiver for receiving communication 
management table update information which is information to be updated
within the communication management table of the manager side. 

According to the present invention, an encryptor connected to 
another encryptor through Internet and of which a communication 
management table used for communication is managed by a manager, the 
encryptor includes:

a communication management table memory of an encryptor side for 
storing a communication management table of the encryptor side which is 
the communication management table to be stored in the encryptor; 

a communication management table version memory of the
encryptor side for storing a communication management table version of the
encryptor side which is a version of the communication management table of
the encryptor side;

a communication management table version sender for sending the 
communication management table version of the encryptor side to the 
manager; and 

a communication management table receiver for receiving a 
communication management table of a manager side which is the 
communication management table to be stored in the manager from the 
manager, and 

wherein the communication management table memory of the 
encryptor side stores the communication management table of the manager 
side received by the communication management table receiver as the 
communication management table of the encryptor side. 

The encryptor of the invention, wherein:

the communication management table receiver further receives a 
communication management table version of the manager side which is a 
version of the communication management table of the manager side from 
the manager; and 

the communication management table version memory of the 
encryptor side stores the communication management table version of the 
manager side received by the communication management table receiver as 
the communication management table version of the encryptor side. 

The encryptor of the invention, wherein the communication 
management table includes a public key, and 

the encryptor further comprising:

a secret key for secret key communication exchanger for sharing a
secret key for secret communication used for secret communication with the
other encryptor through the Internet, with the other encryptor by using the
public key included in the communication management table of the
encryptor side.

The encryptor of the invention, wherein the communication 
management table includes a public key, and 

the encryptor further includes: 

an certification key for secret key communication exchanger for 
sharing an certification key for secret communication used for secret
communication with the other encryptor through the Internet, with the other 
encryptor by using the public key included in the communication 
management table of the encryptor side. 

The encryptor of the invention, wherein:

the other encryptor is connected to a subnet; and

the communication management table includes subnet configuration
information which is information related to a configuration of the subnet,
and

the encryptor further includes:

an Internet communicating unit for communicating with the other
encryptor through the Internet based on the subnet configuration
information included in the communication management table of the
encryptor side.

According to the present invention, a method for transferring a
communication management table used for a communication management
table transfer system including:

plural encryptors connected to each other through Internet, each of
which has a communication management table memory of an encryptor side
for storing a communication management table of the encryptor side and a
communication management table version memory for storing a
communication management table version of the encryptor side; and

a manager managing the communication management table used for 
communication among the plural encryptors, which has a communication 
management table memory of a manager side for storing a communication 
management table of the manager side and a communication management
table version memory for storing a communication management table 
version of the manager side, 

the method includes: 

sending the communication management table version of the 
encryptor side to the manager by the encryptor;

receiving the communication management table version of the 
encryptor side from the encryptor by the manager; 

checking and finding mismatch of the communication management 
table version of the encryptor side received and the communication 
management table version of the manager side by the manager;

sending the communication management table of the manager side 
by the manager when the mismatch is found by the checking and finding; 

receiving the communication management table of the manager side
from the manager by the encryptor; and

storing the communication management table of the manager side
received as the communication management table of the encryptor side by
the encryptor.

Brief Explanation of the Drawings

Fig. 1 shows a configuration of an encryptor according to the present
embodiment.

Fig. 2 shows a configuration of a manager according to the 
embodiment. 

Fig. 3 shows a transfer procedure of the communication management 
table on turning electric power on according to the embodiment.

Fig. 4 shows a procedure for omitting the transfer of the 
communication management table on turning electric power on according to 
the embodiment. 

Fig. 5 shows a transfer procedure of the communication management 
table on rebooting according to the embodiment.

Fig. 6 shows a procedure for omitting the transfer of the 
communication management table on rebooting according to the 
embodiment.

Fig. 7 shows a configuration of the communication management 
table according to the embodiment.

Fig. 8 shows a configuration of the communication management 
table according to the embodiment. 

Fig. 9 shows a configuration of the communication management
table according to the embodiment.

Fig. 10 shows data flow on establishing SA.

Fig. 11 shows data flow on secret communication.

Fig. 12 shows a case in which subnet configuration information is
used.

Fig. 13 shows a system in which virtual private network is employed.

Fig. 14 shows a transfer procedure of the communication
management table on turning electric power on according to the related art.

Fig. 15 shows a transfer procedure of the communication
management table on rebooting according to the related art.

Best Mode for Carrying out the Invention
Embodiment 1.

In the following, the present invention will be explained referring to 
the figures showing an embodiment. 

Fig. 1 shows a configuration of an encryptor according to the
embodiment. A reference numeral 1001 shows a power controller, 1002
shows a reboot controller, 1003 shows an initializer, 1004 shows a
communication management table memory of the encryptor side, 1005 shows
a communication management table version memory of the encryptor side,
1006 shows a communication management table version encryptor, 1007
shows an initialization completion notifier, 1008 shows a communication
management table download controller, and 1009 shows a communication
management table receiver.

Fig. 2 shows a configuration of a manager according to the
embodiment. A reference numeral 2001 shows a reboot instructor, 2002
shows an initialization completion receiver, 2003 shows a communication
management table version decryptor, 2004 shows a communication
management table memory of the manager side, 2005 shows a
communication management table version memory of the manager side,
2006 shows a communication management table version checker, 2007
shows a communication management table download instructor, and 2008
shows a communication management table sender.

Fig. 3 shows a procedure of transferring the communication 
management table on turning an electric power on according to the 
embodiment. Hereinafter, this procedure will be described referring to the 
configurations shown in Figs. 1 and 2. 

At an encryptor A11 side, on turning electric power on, the power
controller 1001 instructs initialization to the initializer 1003. When the
initialization is completed, the initializer 1003 notifies the initialization
completion notifier 1007 of completion of initialization. The initialization
completion notifier 1007 sends an encryptor initialization completion notice
(S301) to the initialization completion receiver 2002 of a manager 36. At
this time, the encryptor initialization completion notice (S301) includes
communication management table version encrypted by a public key of the
manager 36.

The communication management table version is stored in the
communication management table version memory 1005 of the encryptor
side. The communication management table version stored in the
communication management table version memory 1005 of the encryptor
side is made to correspond to the communication management table of the
communication management table memory 1004 of the encryptor side. In
this example, the communication management table version memory 1005 of
the encryptor side is included in the communication management table
memory 1004 of the encryptor side, however, the communication
management table version memory 1005 can be separated from the
communication management table memory 1004 of the encryptor side.

The communication management table version encryptor 1006 is 
configured to read the communication management table version from the 
communication management table version memory 1005 of the encryptor 
side, encrypt the communication management table version, and send the 
encrypted communication management table version to the initialization
completion notifier 1007. 

At the manager 36 side, the initialization completion receiver 2002
receives the encryptor initialization completion notice (S301), and the
communication management table version decryptor 2003 decrypts the
encrypted communication management table version. On the other hand,
the communication management table checker 2006 reads the
communication management table version stored at the manager 36 side
from the communication management table version memory 2005 of the
manager side. And then, the communication management table version
checker 2006 compares these communication management table versions.
Here, the communication management table version memory 2005 of the
manager side is included in the communication management table memory
2004 of the manager side, however, they can be separated as long as the
communication management table is made to correspond to the
communication management table version.

As a result of comparison, when two communication management
table versions mismatch, the communication management table version
checker 2006 notifies the mismatch to the communication management table
download instructor 2007.
On receiving the notice of the mismatch, the communication
management table download instructor 2007 sends a communication
management table download instruction (S302) to the communication
management table download controller 1008 of the encryptor A11.

At the encryptor A11 side, on receiving the communication
management table download instruction (S302), the communication
management table download controller 1008 instructs the communication
management table receiver 1009 to obtain the communication management
table to receive the communication management table according to the
procedure of file transfer.

On receiving the instruction to obtain the communication
management table, the communication management table receiver 1009
sends a command to obtain the communication management table (S103) to
the communication management table sender 2008 of the manager 36.

At the manager 36 side, on receiving the command to obtain the
communication management table (S103), the communication management
table sender 2008 reads the communication management table from the
communication management table memory 2004 of the manager side, and
transfers the file of the communication management table to the
communication management table receiver 1009 of the encryptor A11 (S104).

At the encryptor A11 side, on finishing receiving the communication
management table, the communication management table receiver 1009
notifies the communication management table download controller 1008 of
the completion of obtaining the communication management table. The
communication management table download controller 1008 sends a response
to the communication management table download instruction (S105) to the
communication management table download instructor 2007 of the manager
36. Further, the communication management table receiver 1009 stores the
received communication management table in the communication
management table memory 1004 of the encryptor side.

In the above example, the file of the communication management
table including the communication management table version is transferred
and stored in the communication management table memory 1004 of the
encryptor side. However, the communication management table version
can be separated from the communication management table. Namely, the
file of the communication management table without the communication
management table version and the file of the communication management
table version can be transferred separately.

In this way, when the communication management table versions
mismatch, the communication management table is transferred from the
manager 36 to the encryptor A11. Further, the communication
management table version is also transferred.

Fig. 4 shows a procedure of omitting the transfer of communication
management table on turning an electric power on. Hereinafter, this
procedure will be explained referring to the configuration shown in Figs. 1
and 2.

The procedure up to the step where the communication management
table version checker 2006 compares the communication management table
versions is the same as described above.

As a result of comparison, when the communication management 
table versions match, the communication management table version checker
2006 notifies the match to the initialization completion receiver 2002. 

The initialization completion receiver 2002 sends a response to the
encryptor initialization completion notice (S102) to the initialization
completion notifier 1007. When the initialization completion notifier 1007
receives the encryptor initialization completion notice (S102), the procedure
terminates. Namely, the communication management table is not
transferred in case that the communication management table versions
match.

The timing at which the encryptor A11 sends the communication
management table version and the manager 36 checks the communication
management table version is not limited to the timing of initialization. It
can be another timing, for example, the timing of reboot, or a certain
periodical timing.
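
The power-on exchanges of Figs. 3 and 4, as an added Python example that is not part of the patent text: the manager transfers the table only when the version reported in S301 differs from its own. The class and field names, the sample records, the use of version 0 for "no table yet", and the toy textbook RSA standing in for encryption under the manager's public key are all assumptions.

```python
import copy
from dataclasses import dataclass, field

# Toy textbook-RSA key for the manager (constructed; far too small and unpadded
# for real use). It only stands in for "encrypted by a public key of the manager".
MANAGER_N, MANAGER_E, MANAGER_D = 3233, 17, 2753   # n = 61 * 53


@dataclass
class Table:
    """Communication management table: one version plus per-encryptor records."""
    version: int
    internet_info: dict = field(default_factory=dict)  # id -> address, certificate, ...
    subnet_info: dict = field(default_factory=dict)    # id -> network address, net mask


class Manager:
    def __init__(self, table):
        self.table = table
        self.transfers = 0          # how many times the full table left the manager

    def on_init_notice(self, encrypted_version):
        """S301 received: decrypt the reported version and compare it."""
        encryptor_version = pow(encrypted_version, MANAGER_D, MANAGER_N)
        if encryptor_version != self.table.version:
            return "S302"           # mismatch: download instruction
        return "S102"               # match: plain response, nothing transferred

    def on_get_table(self):
        """S103 received: transfer the table, version included (S104)."""
        self.transfers += 1
        return copy.deepcopy(self.table)

    def update(self, encryptor_id, internet_record):
        """Manager-side update: change the table and its version together."""
        self.table.internet_info[encryptor_id] = internet_record
        self.table.version += 1


class Encryptor:
    def __init__(self, name, table=None):
        self.name = name
        # Assumption: an encryptor that holds no table yet reports version 0.
        self.table = table or Table(version=0)

    def power_on(self, manager):
        """Run the initialization exchange; return the message labels in order."""
        trace = ["S301"]            # initialization completion notice
        encrypted_version = pow(self.table.version, MANAGER_E, MANAGER_N)
        reply = manager.on_init_notice(encrypted_version)
        trace.append(reply)
        if reply == "S302":
            trace.append("S103")    # command to obtain the table
            self.table = manager.on_get_table()
            trace.append("S104")    # table transferred and stored
            trace.append("S105")    # response to the download instruction
        return trace


def demo():
    """Constructed sample data: first boot, second boot, boot after an update."""
    manager = Manager(Table(
        version=3,
        internet_info={"A": {"address": "192.0.2.11", "certificate": "cert-A"}},
        subnet_info={"A": [("10.1.0.0", "255.255.0.0")]},
    ))
    encryptor = Encryptor("A11")
    first = encryptor.power_on(manager)     # stale: table is downloaded
    second = encryptor.power_on(manager)    # versions match: transfer omitted
    manager.update("B", {"address": "192.0.2.21", "certificate": "cert-B"})
    third = encryptor.power_on(manager)     # version bumped: downloaded again
    return first, second, third, manager.transfers


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Unpadded public-key encryption of a small version number is deterministic, so a deployment would use a padded scheme; the toy key here only keeps the example within the standard library.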

Fig. 5 shows a procedure of transferring the communication
management table on rebooting according to the embodiment. Further, Fig.
6 shows a procedure of omitting the transfer of the communication
management table on rebooting according to the embodiment. The
procedures are the same as ones shown in Figs. 3 and 4 except that the
procedures start at rebooting based on a reboot instruction (S201) and a
reboot instruction response (S202).

In the following, the configuration of the communication
management table will be explained. Figs. 7, 8, and 9 show the
configuration of the communication management table according to the
present embodiment.

As well as a communication management table version 90, the
communication management table includes Internet communication
information such as Internet communication information A50, Internet
communication information B60, and so on and subnet configuration
information such as subnet configuration information A70, subnet
configuration information B80, and so on.

The Internet communication information A50 is necessary for the
encryptor A11 on communicating with another encryptor through the
Internet 1. The Internet communication information B60 is also necessary
for the encryptor B21 on communicating with another encryptor through the
Internet 1.

Reference numerals 51, 61 show Internet addresses, 52, 62 show 
identifiers for the encryptors, 53, 63 show certificates, and 54, 64 show 
effective dates. The certificate includes the public key for SA. 

The subnet configuration information A70 is information related to 
the configuration of a subnet 14. The figure shows information for one 
record; however, further records may be added when many communication 
terminals are included in the configuration of the subnet 14. The same 
applies to the subnet configuration information B80. 

Reference numerals 71, 81 show identifiers of the encryptors, 72, 82 
show network addresses, and 73, 83 show net masks. 

In the example shown in Fig. 7, the communication 
management table version 90 includes one version, corresponding to the 
updated status of the whole communication management table. 

In the example shown in Fig. 8, the communication 
management table version 90 includes plural versions such as encryptor A 
information version 91, encryptor B information version 92, and so on. The 
encryptor A information version 91 corresponds to the updated status of the 
Internet communication information A50 and the subnet configuration 
information A70, and so on (including another subnet configuration 
information, if there exists any). 

In the example shown in Fig. 9, the communication 
management table version 90 is subdivided and includes versions of 
encryptor A Internet communication information version 93, encryptor A 
subnet configuration information version 94, encryptor B Internet 
communication information version 95, encryptor B subnet configuration 
information version 96, and so on. The encryptor A Internet communication 
information version 93 corresponds to the updated status of the Internet 
communication information A50. The encryptor A subnet configuration 
information version 94 corresponds to the updated status of the subnet 
configuration information A70, and so on (including another subnet 
configuration information, if there exists any). 

In the cases of Figs. 8 and 9, each version can be associated with the 
information it covers by storing a device identifier or an information 
identifier corresponding to each version. 

The manager 36 includes a communication management table 
update information receiver (not shown in the figure) receiving 
communication management table update information, which is information 
to be updated within the communication management table, and a 
communication management table updater of the manager side (not shown 
in the figure) updating the communication management table of the 
manager side and the communication management table version of the 
manager side correspondingly. 

In the case shown in Fig. 7, the communication management table 
update information receiver updates the communication management table 
version 90 on receiving the communication management table update 
information from any of the encryptors. In the case shown in Fig. 8, the 
communication management table update information receiver updates 
either or both of the Internet communication information A50 and the 
subnet configuration information A70, and further updates the information 
version 91 for the encryptor A. In the case shown in Fig. 9, on receiving 
the communication management table update information from the encryptor 
A11, the communication management table update information receiver 
checks whether it is required to update either or both of the 
communication management table update information related to the 
Internet communication information A50 and the communication 
management table update information related to the subnet configuration 
information A70, and updates the communication management table update 
information. Further, the communication management table update 
information receiver updates either or both of the Internet communication 
information version 93 for the encryptor A and the subnet configuration 
information version 94 for the encryptor A corresponding to the 
communication management table update information. 

When the communication management table version is subdivided 
as shown in Figs. 8 and 9, it is also effective for the communication 
management table version checker 2006 to compare the communication 
management table version for each subdivided version, so that only the 
part of the communication management table whose version mismatches is 
transferred by the communication management table transfer (S104). In such 
a case, information indicating the transferred part is added to the 
communication management table download instruction (S302). The 
communication management table receiver 1009 updates only the indicated 
part of the communication management table memory 1004 of the encryptor 
side and also updates only the indicated part of the communication 
management table version memory 1005 of the encryptor side. 
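
The partial transfer described above, as an added example that is not part of the patent text: a manager-side version checker and an encryptor-side receiver for a table subdivided as in Fig. 9. The class and function names, the integer version counters and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# A part is keyed by (encryptor identifier, information kind), following the
# description's suggestion of storing an identifier with each version.
INTERNET = "internet"  # Internet communication information (A50, B60, ...)
SUBNET = "subnet"      # subnet configuration information (A70, B80, ...)


@dataclass
class Table:
    parts: dict = field(default_factory=dict)     # key -> content
    versions: dict = field(default_factory=dict)  # key -> version (int, assumed)


class Manager:
    def __init__(self):
        self.table = Table()

    def update(self, key, content):
        """Table updater: store new content and bump that part's version."""
        self.table.parts[key] = content
        self.table.versions[key] = self.table.versions.get(key, 0) + 1

    def check(self, encryptor_versions):
        """Version checker: keys whose versions mismatch.

        The test is inequality, not 'older than', and a part the encryptor
        has never received also counts as a mismatch.
        """
        return sorted(key for key, ver in self.table.versions.items()
                      if encryptor_versions.get(key) != ver)

    def download_instruction(self, encryptor_versions):
        """Download instruction (S302) naming only the mismatched parts.

        Returns None when all versions match, so the transfer is omitted.
        """
        stale = self.check(encryptor_versions)
        if not stale:
            return None
        return {key: (self.table.versions[key], self.table.parts[key])
                for key in stale}


class Encryptor:
    def __init__(self):
        self.table = Table()

    def report_versions(self):
        """Version sender (S301): a copy of the stored versions."""
        return dict(self.table.versions)

    def receive(self, instruction):
        """Table receiver: update only the indicated parts and versions."""
        for key, (ver, content) in instruction.items():
            self.table.parts[key] = content
            self.table.versions[key] = ver


def sync(manager, encryptor):
    """Run one check cycle and return the keys that were transferred."""
    instruction = manager.download_instruction(encryptor.report_versions())
    if instruction is None:
        return []
    encryptor.receive(instruction)
    return sorted(instruction)


def build_manager():
    """Constructed sample table using documentation-range addresses."""
    mgr = Manager()
    mgr.update(("A", INTERNET), {"address": "192.0.2.11"})
    mgr.update(("A", SUBNET), {"network": "198.51.100.0", "mask": "255.255.255.0"})
    mgr.update(("B", INTERNET), {"address": "192.0.2.21"})
    mgr.update(("B", SUBNET), {"network": "203.0.113.0", "mask": "255.255.255.0"})
    return mgr


if __name__ == "__main__":
    mgr, enc = build_manager(), Encryptor()
    print("first sync:", sync(mgr, enc))
    print("second sync:", sync(mgr, enc))
    mgr.update(("B", SUBNET), {"network": "203.0.113.0", "mask": "255.255.255.128"})
    print("after update:", sync(mgr, enc))
```

Because the checker tests for inequality, an encryptor whose stored version is ahead of the manager's is also brought back to the manager's copy.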

Next, an operation of establishing SA using the public key for SA 
included in the communication management table will be explained. Fig. 
10 shows data flow on establishing SA. In this example, the encryptor A11 
requests to establish SA, and the encryptor B21 responds to the request for 
establishing SA. Each encryptor has a secret key memory 1013 for SA 
storing a secret key for SA of its own encryptor and a certification key and 
secret key for secret communication exchanger 1010 for sharing a secret key 
1011 for secret communication and a certification key 1012 for secret 
communication. The certification key and secret key for secret 
communication exchanger 1010 is configured to take as input the secret key 
for SA of its own encryptor and the public key for SA of the partner's 
encryptor. 

The certification key and secret key for secret communication 
exchanger 1010 of the encryptor A11 generates a random number Xa, 
signs it, encrypts it, and sends it to the encryptor B21 (S501). The 
certification key and secret key for secret communication exchanger 1010 of 
the encryptor B21 generates a random number Xb. The certification key 
and secret key for secret communication exchanger 1010 of the encryptor 
B21 generates the secret key 1011 for secret communication and the 
certification key 1012 for secret communication by combining the random 
number Xb with the random number Xa. Further, the certification key and 
secret key for secret communication exchanger 1010 of the encryptor B21 
signs and encrypts hashed values of Xb and Xa, and sends them to the 
encryptor A11 (S502). The certification key and secret key for secret 
communication exchanger 1010 of the encryptor A11 generates the secret 
key 1011 for secret communication and the certification key 1012 for secret 
communication by combining the random numbers Xa and Xb, and checks 
the received hashed values. Further, the certification key and secret key for 
secret communication exchanger 1010 of the encryptor A11 sends the hashed 
value of the random number Xb to the encryptor B21 (S503). The 
certification key and secret key for secret communication exchanger 1010 of 
the encryptor B21 checks the received hashed value. Through the above 
procedure, SA is established. Consequently, both partners obtain the secret 
key 1011 for secret communication and the certification key 1012 for secret 
communication shared with each other. 

In the following, an operation of the secret communication performed 
after establishing SA will be explained. Fig. 11 shows data flow of the secret 
communication. In this example, the encryptor A11 sends data, and the 
encryptor B21 receives the data. The illustrated communication is only one 
example, since the communication can be bidirectional between the 
encryptors which have already established SA. 

Each encryptor includes an Internet communication unit 1014 and a 
subnet communication unit 1015. The Internet communication unit 1014 
controls the communication through the Internet 1, and the subnet 
communication unit 1015 controls the communication through the subnet. 

In the Internet communication unit 1014 at the sender side, an 
encryption unit 1016, a certification unit 1017, and an encapsulation unit 
1018 operate. In the Internet communication unit 1014 at the receiver side, 
a certification unit 1019, a decryption unit 1020, and a decapsulation unit 
1021 operate. Within these operations, the secret key 1011 for secret 
communication is used for the encryption algorithm, and the certification 
key 1012 for secret communication is used for the authentication algorithm. 

Further, the subnet configuration information included in the 
communication management table is used for communication to the subnet 
connected to another encryptor. As shown in Fig. 12, the subnet 
configuration information is used within the Internet communication unit 
1014. 

Industrial Applicability 

According to the present invention, the communication management 
table version is managed between the manager and the encryptor. When 
the communication management tables are judged as identical between the 
manager and the encryptor, the transfer of the communication management 
table is omitted. Therefore, the number of transfers of the communication 
management table is reduced, which enormously improves performance and 
security of data communication. 

Claims 

1. A communication management table transfer system comprising: 

plural encryptors connected to each other through Internet; and 

a manager which manages the communication management table 
used for communication among the plural encryptors, 

wherein each of the plural encryptors includes: 

a communication management table memory of an encryptor side for 
storing a communication management table of the encryptor side which is 
the communication management table to be stored in the each of the plural 
encryptors; 

a communication management table version memory of the 
encryptor side for storing a communication management table version of the 
encryptor side which is a version of the communication management table of 
the encryptor side; and 

a communication management table version sender for sending the 
communication management table version of the encryptor side to the 
manager, 

wherein the manager includes: 

a communication management table memory of a manager side for 
storing a communication management table of the manager side which is the 
communication management table to be stored in the manager; 

a communication management table version memory of the manager 
side for storing a communication management table version of the manager 
side which is a version of the communication management table of the 
manager side; 

a communication management table version receiver for receiving 
the communication management table version of the encryptor side from the 
encryptor; 

a communication management table version checker for checking 
and finding mismatch of the communication management table version of 
the encryptor side received and the communication management table 
version of the manager side; and 

a communication management table sender for sending the 
communication management table of the manager side when the mismatch 
is found by the communication management table version checker, 

wherein the encryptor further includes a communication 
management table receiver for receiving the communication management 
table of the manager side from the manager, and 

wherein the communication management table memory of the 
encryptor side stores the communication management table of the manager 
side received by the communication management table receiver as the 
communication management table of the encryptor side. 

2. The communication management table transfer system of claim 1, 

wherein the communication management table sender further sends 
the communication management table version of the manager side when the 
mismatch is found by the communication management table version checker, 

wherein the communication management table receiver further 
receives the communication management table version of the manager side 
from the manager, and 

wherein the communication management table version memory of 
the encryptor side stores the communication management table version of 
the manager side received by the communication management table receiver 
as the communication management table version of the encryptor side. 

3. A manager managing a communication management table used for 
communication among plural encryptors connected to each other through 
Internet comprising: 

a communication management table memory of a manager side for 
storing a communication management table of the manager side which is the 
communication management table to be stored in the manager; 

a communication management table version memory of the manager 
side for storing a communication management table version of the manager 
side which is a version of the communication management table of the 
manager; 

a communication management table version receiver for receiving a 
communication management table version of an encryptor side which is a 
version of the communication management table of the encryptor side to be 
stored in the encryptor from each of the plural encryptors; 

a communication management table version checker for checking 
and finding mismatch of the communication management table version of 
the encryptor side received and the communication management table 
version of the manager side; and 

a communication management table sender for sending the 
communication management table of the manager side when the mismatch 
is found by the communication management table version checker. 

4. The manager of claim 3, wherein the communication management 
table sender further sends the communication management table version of 
the manager side when the mismatch is found by the communication 
management table version checker. 

5. The manager of claim 3 further comprising a communication 
management table updater of the manager side for updating the 
communication management table of the manager side and the 
communication management table version of the manager side 
correspondingly. 

6. The manager of claim 5 further comprising a communication 
management table update information receiver for receiving communication 
management table update information which is information to be updated 
within the communication management table of the manager side. 

7. An encryptor connected to another encryptor through Internet and of 
which a communication management table used for communication is 
managed by a manager, the encryptor comprising: 

a communication management table memory of an encryptor side for 
storing a communication management table of the encryptor side which is 
the communication management table to be stored in the encryptor; 

a communication management table version memory of the 
encryptor side for storing a communication management table version of the 
encryptor side which is a version of the communication management table of 
the encryptor side; 

a communication management table version sender for sending the 
communication management table version of the encryptor side to the 
manager; and 

a communication management table receiver for receiving a 
communication management table of a manager side which is the 
communication management table to be stored in the manager from the 
manager, and 

wherein the communication management table memory of the 
encryptor side stores the communication management table of the manager 
side received by the communication management table receiver as the 
communication management table of the encryptor side. 

8. The encryptor of claim 7, wherein: 

the communication management table receiver further receives a 
communication management table version of the manager side which is a 
version of the communication management table of the manager side from 
the manager; and 

the communication management table version memory of the 
encryptor side stores the communication management table version of the 
manager side received by the communication management table receiver as 
the communication management table version of the encryptor side. 

9. The encryptor of claim 7, wherein the communication management 
table includes a public key, and 

the encryptor further comprising: 

a secret key for secret key communication exchanger for sharing a 
secret key for secret communication used for secret communication with the 
other encryptor through the Internet, with the other encryptor by using the 
public key included in the communication management table of the 
encryptor side. 

10. The encryptor of claim 7, wherein the communication management 
table includes a public key, and 

the encryptor further comprising: 

a certification key for secret key communication exchanger for 
sharing a certification key for secret communication used for secret 
communication with the other encryptor through the Internet, with the other 
encryptor by using the public key included in the communication 
management table of the encryptor side. 

11. The encryptor of claim 7, wherein: 

the other encryptor is connected to a subnet; and 

the communication management table includes subnet configuration 
information which is information related to a configuration of the subnet, 
and 

the encryptor further comprising: 

an Internet communicating unit for communicating with the other 
encryptor through the Internet based on the subnet configuration 
information included in the communication management table of the 
encryptor side. 

12. A method for transferring a communication management table used 
for a communication management table transfer system including: 

plural encryptors connected to each other through Internet, each of 
which has a communication management table memory of an encryptor side 
for storing a communication management table of the encryptor side and a 
communication management table version memory for storing a 
communication management table version of the encryptor side; and 

a manager managing the communication management table used for 
communication among the plural encryptors, which has a communication 
management table memory of a manager side for storing a communication 
management table of the manager side and a communication management 
table version memory for storing a communication management table 
version of the manager side, 

the method comprising: 

sending the communication management table version of the 
encryptor side to the manager by the encryptor; 

receiving the communication management table version of the 
encryptor side from the encryptor by the manager; 

checking and finding mismatch of the communication management 
table version of the encryptor side received and the communication 
management table version of the manager side by the manager; 

sending the communication management table of the manager side 
by the manager when the mismatch is found by the checking and finding; 

receiving the communication management table of the manager side 
from the manager by the encryptor; and 

storing the communication management table of the manager side 
received as the communication management table of the encryptor side by 
the encryptor. 

Abstract 

The present invention relates to a communication management table 
transfer system including plural encryptors mutually connected through the 
Internet and a manager which manages the communication management 
table used for the communication among the plural encryptors. The 
invention aims to improve security and performance of the communication. 

On receiving a communication management table version from an 
encryptor 11 (S301), a manager 36 compares the received communication 
management table version with the communication management table 
version stored in a communication management table version memory 2005 
of the manager side by using a communication management table checker 
2006. The manager 36 transfers the communication management table to 
the encryptor 11 only when the mismatch is found (S104). 



Japanese Language Declaration (Declaration and Power of Attorney for 
Patent Application, PTO/SB/106): inventor information 

First inventor: Noriko Takeda 
Residence: Tokyo, Japan 
Citizenship: Japan 
Post Office Address: c/o Mitsubishi Electric Systemware Corporation, 
12-1, Yurakucho 1-chome, Chiyoda-ku, Tokyo 100-0006, Japan 

Second joint inventor: Akihiko Sasamoto 
Residence: Tokyo, Japan 
Citizenship: Japan 
Post Office Address: c/o Mitsubishi Denki Kabushiki Kaisha, 
2-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310, Japan 

Third joint inventor: Kazuyuki Adachi 
Residence: Tokyo, Japan 
Citizenship: Japan 
Post Office Address: c/o Mitsubishi Denki Kabushiki Kaisha, 
2-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310, Japan 

Fourth joint inventor: Seiichi Shinoda 
Residence: Tokyo, Japan 
Citizenship: Japan 
Post Office Address: c/o Mitsubishi Denki Kabushiki Kaisha, 
2-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8310, Japan 